Open Source and information security mailing list archives
 
Date:   Fri, 18 Jan 2019 10:00:06 +0800
From:   Dave Young <dyoung@...hat.com>
To:     Mimi Zohar <zohar@...ux.ibm.com>
Cc:     Kairui Song <kasong@...hat.com>, linux-kernel@...r.kernel.org,
        dhowells@...hat.com, dwmw2@...radead.org,
        jwboyer@...oraproject.org, keyrings@...r.kernel.org,
        jmorris@...ei.org, serge@...lyn.com, bauerman@...ux.ibm.com,
        ebiggers@...gle.com, nayna@...ux.ibm.com,
        linux-integrity@...r.kernel.org, kexec@...ts.infradead.org
Subject: Re: [PATCH v3 0/2] let kexec_file_load use platform keyring to
 verify the kernel image

On 01/18/19 at 09:35am, Dave Young wrote:
> On 01/17/19 at 08:08pm, Mimi Zohar wrote:
> > On Wed, 2019-01-16 at 18:16 +0800, Kairui Song wrote:
> > > This patch series adds a .platform_trusted_keys in system_keyring as the
> > > reference to .platform keyring in integrity subsystem, when platform
> > > keyring is being initialized it will be updated. So other component could
> > > use this keyring as well.
> > 
> > Remove "other component could use ...".
> > > 
> > > This patch series also lets kexec_file_load use platform keyring as fall
> > > back if it failed to verify the image against secondary keyring, make it
> > > possible to load kernel signed by third party key if third party key is
> > > imported in the firmware.
> > 
> > This is the only reason for these patches.  Please remove "also".
> > 
> > > 
> > > After this patch kexec_file_load will be able to verify a signed PE
> > > bzImage using keys in platform keyring.
> > > 
> > > Tested in a VM with locally signed kernel with pesign and imported the
> > > cert to EFI's MokList variable.
> > 
> > It's taken so long for me to review/test this patch set due to a
> > regression in sanity_check_segment_list(), introduced somewhere
> > between 4.20 and 5.0.0-rc1.  The segment overlap test - "if ((mend >
> > pstart) && (mstart < pend))" - fails, returning a -EINVAL.
> > 
> > Is anyone else seeing this?
> 
> Mimi, should be this issue?  I have sent a fix for that.
> https://lore.kernel.org/lkml/20181228011247.GA9999@dhcp-128-65.nay.redhat.com/

Hi, Kairui, I think you should know this while working on this series.
It is good to mention the test dependency in the cover letter so that reviewers
can save time.

BTW, Boris took it in tip already:
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=993a110319a4a60aadbd02f6defdebe048f7773b

> 
> Thanks
> Dave
